To Allow Grace Authentications When
Passwords Expire

This procedure describes how to give users grace authentications, allowing
users to change passwords that have expired.

The grace authentications are intended to be managed by an application
that handles password policy request and response controls. The procedure
shows a simple example of how to use the control in an application.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

Make sure that users have access to an application that uses password
policy request and response controls.

The application should ensure
that users handle grace authentications properly.

Allow the application to use the password policy controls.

The following commands set an ACI to allow members of a Password
Managers role to use the password policy controls: